nanog mailing list archives
Re: What do you want your ISP to block today?
From: Jack Bates <jbates () brightok net>
Date: Sat, 30 Aug 2003 11:30:57 -0500
Rob Thomas wrote:
> Oh, good gravy! I have a news flash for all of you "security experts" out there: The Internet is not one, big, coordinated firewall with a handy GUI, waiting for you to provide the filtering rules. How many of you "experts" regularly sniff OC-48 and OC-192 backbones for all those naughty packets? Do you really want ISPs to filter the mother of all ports-of-pain, TCP 80?
Yes. While I hate to admit it, the one thing worse than not applying filters is applying them incorrectly. A good example would be the icmp rate limits. It's one thing to shut off icmp, or even filtering 92 byte icmp. The second one rate-limits icmp echo/reply, they just destroyed the number one network troubleshooting and performance testing tool. If it was a full block, one would say "it's filtered". Yet with rate limiting, you just see sporadic results; sometimes good, sometimes high latency, sometimes dropped.
Filter edges, and if you apply a backbone filter, apply it CORRECTLY! Rate-limiting icmp is not correctly.
-Jack
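
Added example, not part of the original message: a small model of one ping per second crossing a backbone ICMP echo policer, comparing no filter, a full block, and a token-bucket rate limit. The background load figures, the 100 packets/s rate and the 20-packet burst are constructed assumptions, and the model covers drops only, not latency.

```python
"""Constructed model: one probe ping per second crossing an ICMP policer."""

US = 1_000_000  # microseconds per second; also the scaled token cost of one packet

# Constructed background ICMP echo load (packets/s) sharing the policer.
# The person running ping has no view of this.
LOAD = [50] * 10 + [110] * 10 + [200] * 10 + [90] * 10

def run_probe(policy, rate=100, burst=20):
    """Return one boolean per second: did that second's probe get through?

    policy: "none" (no filter), "block" (drop all ICMP echo), or
            "ratelimit" (token bucket: `rate` packets/s, depth `burst`).
    """
    events = []
    for s, pps in enumerate(LOAD):
        # Evenly spaced background packets, then the probe at a drifting offset.
        events += [(s * US + k * US // pps, False) for k in range(pps)]
        events.append((s * US + (s * 370_000) % US, True))
    events.sort()

    tokens, last, results = burst * US, 0, []
    for t, is_probe in events:
        if policy == "none":
            passed = True
        elif policy == "block":
            passed = False
        else:
            # Integer token bucket: refill for elapsed time, cap at burst depth.
            tokens = min(burst * US, tokens + rate * (t - last))
            last = t
            passed = tokens >= US
            if passed:
                tokens -= US
        if is_probe:
            results.append(passed)
    return results

def loss_per_window(results, window=10):
    """Lost probes in each `window`-second slice, as a ping summary would show."""
    return [sum(not ok for ok in results[i:i + window])
            for i in range(0, len(results), window)]

if __name__ == "__main__":
    for policy in ("none", "block", "ratelimit"):
        print(f"{policy:9s} lost per 10 s: {loss_per_window(run_probe(policy))}")
```

The full block gives the same answer in every window, while the rate limit gives a loss figure that tracks other people's ICMP traffic rather than the state of the path being tested.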